Step 4: CT1 and CT2 are both generated from the same challenge, as explained in atom's post here https://hashcat.net/forum/archive/index.php?thread-5832.html, so we can multicrack them, bonus. So you need to make a hashes.txt comprised of CT1:CHAL\nCT2:CHAL<EOF> essentially. You can do this manually or...

This is doable on a longer-term engagement, but I don't usually have that kind of time; we need more nodes. Way more nodes. With more nodes comes management: -s and -l work for this, but running the calculations by hand sucks and using middleware sucks even more. So to hell with it, let's automate it. I wrote a handy skip and limit calculator detailed here https://hashcat.net/forum/thread-5850.html, and what it does is generate -s and -l values for you. hashcat has the ability to take a chunk of a workload and not all of it: -s skips ahead to the section of keyspace you want to start at, -l tells hashcat to stop after processing a portion of the keyspace, and --keyspace tells you the size of the total keyspace. From here it's simple math.

In the script the keyspace is 34359738368 or the value of the first argument. You also define an array with the count of GPUs in each of your systems; for example, (4 4 4 4) would be 4 nodes with 4 GPUs each for a total of 32 GPUs. Your chunk size is your keyspace divided by the total number of GPUs. Your remainder is your chunk size multiplied by your total number of GPUs, with that value then subtracted from your keyspace; it should be small or 0.

Now you start a counter at 0 and loop over the array. You add 1 to the counter, so the first item has a counter value of 1; in the case of your first item the skip count is zero and the limit is calculated by multiplying the chunk size by its GPU count and then adding the remainder. The skip count for the next node becomes the limit of the first. For every subsequent node you calculate the limit as chunk size * the number of GPUs, and you keep incrementing the skip count to determine position. The script just automates the whole thing, and every major middleware does exactly that to distribute workloads; this is also why you can't -s and -l a character-set file for PathWell and have to do it as 100 different jobs.

So, I digress: you generate -s and -l for each of your nodes and repeat the crack.

Step 10) Profit: you now have the NTLM hash ready for PTH, from an MSCHAPv2 hash stolen over wireless from some contractor who didn't enforce certificate checking on WPA2-Enterprise, or stolen with Responder on the network via NetNTLMv1.

Thank you. I'm Evil_Mog on Twitter, or sometimes EvilMog on #hashcat on Freenode.
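An added example, written for this page and not Evil_Mog's script from the linked thread, that implements the skip/limit arithmetic described in the post above in Go: chunk = keyspace / total GPUs, the remainder folded into the first node's limit, and each later node's skip = previous skip + previous limit. The keyspace 34359738368 and the (4 4 4 4) array are the post's own numbers (the array sums to 16 GPUs, which is what the code counts); the -m 14000 / -a 3 command template, the hashes.txt file name, the charset path and the eight-?1 mask are assumptions about how the DES job is invoked and should be replaced with whatever the engagement actually runs.

```go
package main

import "fmt"

// Node is one cracking box: its GPU count and the hashcat -s/-l pair assigned to it.
type Node struct {
	GPUs  int
	Skip  uint64 // value for -s
	Limit uint64 // value for -l
}

// SkipLimit splits a --keyspace value across nodes in proportion to their GPU
// counts, following the scheme in the post: chunk = keyspace / total GPUs,
// remainder = keyspace - chunk * total GPUs; the first node gets skip 0 and
// limit chunk*gpus + remainder, every later node gets skip = previous skip +
// previous limit and limit = chunk*gpus.
func SkipLimit(keyspace uint64, gpus []int) []Node {
	total := 0
	for _, g := range gpus {
		total += g
	}
	if total == 0 {
		return nil
	}
	chunk := keyspace / uint64(total)
	remainder := keyspace - chunk*uint64(total) // always < total, so "small or 0"
	nodes := make([]Node, len(gpus))
	var skip uint64
	for i, g := range gpus {
		limit := chunk * uint64(g)
		if i == 0 {
			limit += remainder
		}
		nodes[i] = Node{GPUs: g, Skip: skip, Limit: limit}
		skip += limit // the next node starts where this one stops
	}
	return nodes
}

// Covered returns the sum of all limits. If it does not equal the keyspace,
// part of the keyspace is never searched (or is searched twice).
func Covered(nodes []Node) uint64 {
	var sum uint64
	for _, n := range nodes {
		sum += n.Limit
	}
	return sum
}

// Commands renders one hashcat invocation per node. Mode, attack mode, file
// name, charset and mask are assumptions about the DES job discussed in the
// post, not values taken from it.
func Commands(nodes []Node) []string {
	cmds := make([]string, len(nodes))
	for i, n := range nodes {
		cmds[i] = fmt.Sprintf("node%d (%d GPUs): hashcat -m 14000 -a 3 -s %d -l %d hashes.txt -1 charsets/DES_full.charset ?1?1?1?1?1?1?1?1",
			i+1, n.GPUs, n.Skip, n.Limit)
	}
	return cmds
}

func main() {
	// The post's numbers: the --keyspace value and a (4 4 4 4) node array.
	const keyspace = 34359738368
	nodes := SkipLimit(keyspace, []int{4, 4, 4, 4})
	for _, c := range Commands(nodes) {
		fmt.Println(c)
	}
	fmt.Printf("covered %d of %d\n", Covered(nodes), uint64(keyspace))
}
```

Run it and paste each printed command on the matching node; the Covered check is the one thing worth doing by hand before a long job, because a skip/limit set that does not add up to --keyspace silently leaves candidates untried.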

I have a Net-NTLMv1-SSP hash which was captured using Responder (LLMNR w/ SMB). The captured hash is listed below. I have read Mark Gamache's blog and have tinkered with moxie0's chapcrack, but I still don't understand how to convert NetNTLMv1 to $99$ format. Could someone shed some light on it for me? I'm sure I'm missing something simple.

--- From the above site ---
The NTLM response is calculated as follows (see Appendix D for a sample Java implementation):

The MD4 message-digest algorithm (described in RFC 1320) is applied to the Unicode mixed-case password. This results in a 16-byte value - the NTLM hash.
The 16-byte NTLM hash is null-padded to 21 bytes.
This value is split into three 7-byte thirds.
These values are used to create three DES keys (one from each 7-byte third).
Each of these keys is used to DES-encrypt the challenge from the Type 2 message (resulting in three 8-byte ciphertext values).
These three ciphertext values are concatenated to form a 24-byte value. This is the NTLM response.
--- End snippet ---

So 1B91B89CC1A7417DF9CFAC47CCDED2B77D01513435B36DCA is the NTLM response and 1122334455667788 is the challenge.

The final value PT3 you need to brute-force locally using hashcat DES mode 14000; the hash format will look like this:
7D01513435B36DCA:1122334455667788
The keyspace will be ?1?1? on -a charsets/DES_full.charset and should take at most a few seconds. Once completed, you concatenate the values and base64-encode them.
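An added Go example, not code from this thread or from chapcrack, that carries the quoted procedure through end to end: it computes an NTLMv1 response from a constructed NT hash and the challenge 1122334455667788 shown above, writes out the CT1:CHAL / CT2:CHAL hashes.txt from step 4 and the -m 14000 line for CT3, and then recovers PT3 (NT hash bytes 14 and 15) by trying every possible third key. Because the third 7-byte key is those two bytes followed by five null bytes, there are only 2^16 candidates, which is why that part takes seconds even on a CPU. The sample NT hash is a constructed value, not the one behind the response quoted above; the 7-to-8-byte expansion is the standard DES key layout with odd parity (Go's crypto/des ignores the parity bits, so it only matters for printing the key in its usual form).

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// Constructed sample input: the challenge quoted in the thread and an
// arbitrary 16-byte value standing in for an NT hash.
const sampleChallengeHex = "1122334455667788"
const sampleNTHashHex = "8846f7eaee8fb117ad06bdd830b7586c"

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func upperHex(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }

// desKey expands a 7-byte key third into the 8-byte form DES wants: each
// output byte carries 7 consecutive key bits and an odd-parity bit in bit 0.
func desKey(k7 []byte) []byte {
	if len(k7) != 7 {
		panic("need 7 bytes")
	}
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte
		switch i {
		case 0:
			b = k7[0] >> 1
		case 7:
			b = k7[6] & 0x7f
		default:
			b = (k7[i-1]<<uint(7-i) | k7[i]>>uint(i+1)) & 0x7f
		}
		b <<= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		k8[i] = b
	}
	return k8
}

// desEncrypt is one DES block encryption of block under the 7-byte key k7.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// NTLMv1Response follows the quoted procedure: null-pad the 16-byte NT hash
// to 21 bytes, split into three 7-byte DES keys, encrypt the 8-byte challenge
// under each, and concatenate the three 8-byte ciphertexts (CT1 CT2 CT3).
func NTLMv1Response(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// MultiCrackHashes builds the step-4 hashes.txt: CT1 and CT2 with the shared challenge.
func MultiCrackHashes(resp, challenge []byte) string {
	ch := hex.EncodeToString(challenge)
	return upperHex(resp[0:8]) + ":" + ch + "\n" + upperHex(resp[8:16]) + ":" + ch + "\n"
}

// Mode14000Line formats CT3 for hashcat -m 14000 as "ciphertext:plaintext", as in the reply above.
func Mode14000Line(resp, challenge []byte) string {
	return upperHex(resp[16:24]) + ":" + hex.EncodeToString(challenge)
}

// CrackPT3 recovers NT hash bytes 14..15 from CT3: the third key is those two
// bytes plus five null bytes, so at most 65536 DES encryptions are needed.
func CrackPT3(ct3, challenge []byte) ([]byte, bool) {
	key := make([]byte, 7) // bytes 2..6 stay zero
	for cand := 0; cand < 1<<16; cand++ {
		key[0], key[1] = byte(cand>>8), byte(cand)
		if bytes.Equal(desEncrypt(key, challenge), ct3) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func main() {
	chal := mustHex(sampleChallengeHex)
	nt := mustHex(sampleNTHashHex)
	resp := NTLMv1Response(nt, chal)
	fmt.Printf("NTLMv1 response: %s\n", upperHex(resp))
	fmt.Printf("hashes.txt for CT1/CT2:\n%s", MultiCrackHashes(resp, chal))
	fmt.Printf("-m 14000 line for PT3: %s\n", Mode14000Line(resp, chal))
	pt3, ok := CrackPT3(resp[16:24], chal)
	fmt.Printf("recovered NT hash bytes 14..15: %s (found=%v)\n", upperHex(pt3), ok)
}
```

Once PT1 and PT2 come back from the big DES job, the NT hash is PT1 || PT2 || PT3 (7 + 7 + 2 bytes); the CrackPT3 loop is the part of that job that never needs a GPU.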

(10-01-2016, 09:19 PM)evilmog Wrote:
The final value PT3 you need to brute-force locally using hashcat DES mode 14000; the hash format will look like this:
7D01513435B36DCA:1122334455667788 the keyspace will be ?1?1? on -a charsets/DES_full.charset

Hey guys, I'm sorry for the silly question. Following the example, I'm having trouble cracking PT3.